Research
-
Multiple groups exploit WinRAR CVE-2025-8088 using Alternate Data Streams since July 2025
Multiple state-backed and criminal groups have exploited the high severity WinRAR path traversal CVE-2025-8088 since July 18, 2025. Exploits hide payloads in Alternate Data Streams and can drop persistent launchers to Startup folders.
-
Pakistan-linked campaigns use new tradecraft to target Indian government in September 2025
Two campaigns codenamed Gopher Strike and Sheet Attack targeted Indian government entities in September 2025 using phishing and legitimate services for command and control. Malware included a Golang downloader, GitHub-based backdoors and a loader for Cobalt Strike.
-
Over 6,000 SmarterMail servers exposed and likely vulnerable to critical auth bypass
Shadowserver found more than 6,000 SmarterMail servers exposed and likely vulnerable to CVE-2026-23760, a critical authentication bypass that can reset admin passwords and allow remote code execution. A vendor fix was released in build 9511.
-
New MaaS Stanley promises phishing extensions on Chrome Web Store
A technical analysis found the Stanley MaaS offers Chrome extensions that overlay phishing iframes and promises to pass Chrome Web Store review. The service includes auto-install, persistent C2 polling, geotargeting, and a paid Luxe plan.
-
Phishing campaign in India deploys Blackmoon variant and SyncFuture TSM
Security researchers found a phishing campaign targeting Indian taxpayers that uses fake Income Tax Department notices to deliver a multi stage backdoor which installs a Blackmoon variant and SyncFuture TSM for persistent remote access.
-
Git dependencies can bypass npm ignore-scripts protections, researchers find
Koi Security found that Git dependencies can circumvent npm’s –ignore-scripts protection and allow code execution. Several JavaScript package managers patched the flaws but npm closed the report and did not apply a fix
-
Konni uses AI generated PowerShell malware to target blockchain developers
Konni used AI generated PowerShell malware to target blockchain developers in Japan, Australia and India, using spear-phishing with LNK files and multi stage loaders to deploy a persistent backdoor, according to a Check Point Research technical report.
-
Multi-stage phishing campaign in Russia delivers Amnesia RAT and ransomware via GitHub and Dropbox
A multi-stage phishing campaign observed in Russia delivers Amnesia RAT and Hakuna Matata ransomware. The chain uses GitHub and Dropbox for payload staging and disables Defender before stealing data and encrypting files.
-
Sandworm used DynoWiper in failed cyber attack on Poland power system
ESET technical analysis said Sandworm used a new wiper called DynoWiper in an unsuccessful attack on Poland’s power system on December 29 and 30 2025. Targets included CHP plants and a renewable generation management system.
-
Malicious VSCode extensions with 1.5 million installs exfiltrate developer data
Two malicious Visual Studio Code extensions installed about 1.5 million times read and transmit open files and workspace data to China based servers, the technical analysis by Koi Security reports.
